By Rhonda Chicone, School of Business and Information Technology
The Software Lay of the Land
No one can dispute that software is everywhere; just pick up your smartphone and take a look at the applications you have installed. Some reports suggest that by 2017, there will be more smartphones in the world than people. Yet smartphones are old news. These days we’re hearing a lot about the “Internet of Things” (IoT), which includes embedded software systems that control wearables (a Fitbit or Apple Watch, for example), software that controls machines that talk to other machines, and smart sensors that are making household environments intelligent and responsive. The smartphone and IoT widgets are great, and software is what makes them come alive. The demand for highly skilled software developers will continue to rise, as
An Example of What Could Go Wrong
Go back to your smartphone. Do you happen to have a banking application on it? If not, let us imagine you do. Imagine a scenario where the banking application has a flaw (otherwise known as a bug) that is not detected by the end user (you). In
Let us get back to your banking software application.
Those of you who are technically savvy may be saying, “What about SSL or TLS?” Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic software protocols that secure information traveling over a computer network (remember, the Internet is a gigantic network of computers). To use SSL/TLS correctly, organizations (or individuals) purchase a certificate from a Certificate Authority (CA). In this example, your bank would purchase the SSL/TLS certificate from a CA, and it would be installed and configured on your bank’s web server (the web server is a software application that resides on a physical server/computer). When you browse to a website and ‘https’ is used in the web address (https://www.myfavbank.com), or you see the little lock icon, the “s” means that your bank uses SSL/TLS. Popular browsers like Chrome, Firefox, Safari, Internet Explorer, etc., are software applications that use SSL/TLS certificates correctly.
One of the first steps in using SSL/TLS correctly is to validate the certificate to be sure that a trusted CA digitally signed it, as that is what makes it trustworthy. The banking software application that you have been using on your smartphone also uses only trusted certificates, in a similar way to your web browser. Now imagine if the certificate were not validated correctly in the banking software application. This would mean your banking information (username, password) is traveling over the Internet unprotected.
A vulnerability, such as not validating a good certificate or trusting a bad certificate, could be caused by poor software development or software testing procedures. In 2014, a cybersecurity researcher at the Software Engineering Institute’s CERT Coordination Center (CERT/CC) created an open source tool (a set of existing software applications packaged together and made available to the public) to help detect man-in-the-middle (MITM) vulnerabilities like the one in the banking software application example. The researcher automated the testing, ran it against 1 million applications, and found that 23,000+ Android software applications did not validate the SSL/TLS certificate correctly (Dormann, 2015).
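As an added example (not code from the article or from CERT/CC), here is how a client's TLS settings produce the flaw described above, with the hardened form beside it and a small audit that flags the weak settings the way a code review or an automated test would. It uses only Python's standard ssl module; the function names are my own.

```python
import socket
import ssl
from typing import List

# Added example, not code from the article. Function names are my own.

def insecure_context() -> ssl.SSLContext:
    """The flaw described in the article: the client accepts any certificate,
    so a forged one presented by a man-in-the-middle passes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # CA signature is never checked
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Correct validation: the chain must end at a trusted CA and the
    certificate must be issued for the host name being contacted."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Flag validation weaknesses in a client context; empty list means none."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: CA signature not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate not tied to host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def tls_version_of(host: str, ctx: ssl.SSLContext, port: int = 443) -> str:
    """Perform a real handshake and return the negotiated protocol version.
    With hardened_context() a bad certificate raises ssl.SSLCertVerificationError;
    with insecure_context() the same connection would silently succeed."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or "no findings")
```

The audit runs offline; tls_version_of needs network access and is there so a reader can see the hardened context reject a host whose certificate does not validate.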
What Can We Do to Reduce Cybercrime?
Dormann, W. (2015, August 21). Announcing CERT Tapioca for MITM Analysis. Message posted to http://www.cert.org/blogs/certcc/post.cfm?EntryID=203
Maslennikov, D. (2011).